In today’s volatile digital environment, resilience should include consideration of how well companies understand, anticipate, and are prepared to recover from the potential impact of a major cyber incident. CISOs and their teams are encouraged to initiate a dialogue with senior leaders that challenges the assumption that the organization can either absorb a cyberattack or, at worst, recover in a few days. They should explore the ability to sustain operations if the disruption lasts for multiple weeks while managing media, regulatory and public attention.

“There is a plan”

When CEOs are asked how they approach the possibility of a cyberattack, most say, “There is a plan” and “It’s high on the board’s agenda.” Experience from the last few months suggests the more pertinent questions are: How prepared are you as a business to face a four- to six-week outage as a result of a cyberattack? How would it impact customer service? What would it mean for your call and distribution centers? Would you be able to cover the next payroll? Could you pay suppliers? How might an outage impact the company’s regulatory and legal requirements?

Resilience demands an assessment of the key operational processes of the business and a strategy for protecting them.

In today’s market reality, a major cyber event is almost inevitable for most companies. With that in mind, and reflecting the evolving mindset of security professionals, the focus for many CISOs today is in equal parts likelihood reduction and consequence management. Clearly, it’s not enough to detect a successful breach; it’s equally important to act fast enough to limit the damage. Indeed, malicious code has been known to lie dormant within a breached environment for months before surreptitiously activating and re-infecting the system.

In recent years, hackers have increased their focus on two types of cyberattack.

  • Ransomware attacks: Clearly, there have been a number of incidents in which an attacker breaches an organization and encrypts its data, rendering it inaccessible until the victim pays an exorbitant ransom to regain access. Except now, attackers are using double extortion tactics, throwing in the additional threat of publicly leaking the stolen data if an additional ransom payment isn’t made, while simultaneously targeting the organization’s online backups.
  • Supply chain attacks: Increasingly, attackers are targeting companies that produce important software and are vital logistical links in much larger, broader networks. From the hacker’s perspective, infiltrating a smaller target requires much less effort to inflict major damage.

While these attacks aren’t overly sophisticated in terms of methodology — they still use phishing, password spraying and vulnerability scanning — they’re incredibly effective. We expect these kinds of attacks to increase going forward. For ransomware specifically, as long as companies are willing to pay the ransom, this problem will likely persist.  

The business has to play an active role in digital resilience: scenario simulations, knowing where the dependencies are, plans that make clear what they can do and what they’re not able to do. So, there can be a collective response.

Karel Dekyvere
Director, Technology Advisory
KPMG in Belgium

In an increasingly interconnected and interdependent digital world, these events, such as the WannaCry attacks a few years ago and the Colonial Pipeline attack earlier in 2021, can have much broader and systemic implications for an economy, motivating regulators across the globe to issue new rules and directives for a broad array of industries. Perhaps the most pertinent example is the European Union’s 2016 Network and Information Systems (NIS) Directive, which aimed to create a high standard of network and information security, and its proposed replacement, NIS2, which looks to address the growing range of digital infrastructure on which our societies now depend. Sector-specific regulatory initiatives, such as the Digital Operational Resilience Act in Europe, will also place increasing obligations on industry around incident response, vulnerability disclosure, penetration testing, encryption and other areas.

What’s your move?

The CISO and their team can’t ensure cyber resilience on their own. It should be an organization-wide effort with buy-in and active support from senior management, finance, marketing, and other stakeholders. There’s an interesting dynamic developing, particularly in Europe, where a number of roles — CISOs, Chief Risk Officers (CROs), Chief Data Officers (CDOs) — are evolving toward what might be referred to as a Chief Digital Resilience Officer, which entails a broader agenda of shared security, technology risk and business continuity priorities.

CISOs should educate leadership about the risk and consequences of a breach and why cyber resilience is so important. However, avoid excessive technical jargon — talk about the threat landscape, the cost of failure, time to recover and potential impact.

Take the time to review your organizational cyber resilience plans and strive to ensure they’re fit for purpose. Plans that were previously developed for physical resiliency issues are likely not suitable for a cyber event. There are several key differences between physical and cyber resilience planning: in cyber, there is often a large degree of uncertainty as to what has actually happened, when, and how; the impact is often organization-wide, as opposed to confined to a specific location (and it often extends beyond the organization); and it is often assumed that IT has the capacity to help manage the incident — which may or may not be the case.

Don’t wait for a cyber event to transpire to test your plans. Regularly simulating real-world cyberattacks with executives is important and helps them understand the potential impact of a cyberattack on the organization, and what it takes to respond and recover. You cannot fully replicate a real-world event, but the better prepared the organization is, the better the chances of managing incidents effectively.

Of course, cyber teams still have to focus on security fundamentals to strengthen resilience across the organization. Indeed, many breaches are successful because the target didn’t do the easy work, like identifying critical assets, securing accounts with strong passwords, and managing patches. However, in today’s fast-paced digital world, this alone is not sufficient. Organizations should supplement the basics with solid detection capabilities, an advanced ability to respond and recover rapidly, and a focus on managing the consequences of a cyberattack.

What to do right now, or next? Identify the five to ten business processes and their dependencies on key suppliers that pose the greatest risk, as measured in financial impact, data corruption or regulatory triggers. This can give you a clear view of priorities, so you can implement the proper controls and strategies.

Karel Dekyvere
Director, Technology Advisory
KPMG in Belgium

Some key actions to consider for 2022

  1. Consider how long you can sustain the business if significant functions are down and what it would mean from a customer impact perspective.
  2. Think about how a significant cyber event would affect your dependency on suppliers.
  3. Elevate the topic of cyber security and cyber resilience to board level.
  4. Question whether your current resilience plans are fit for purpose for a cyberattack and take appropriate corrective measures.
  5. Have the humility to acknowledge that your assumptions might be wrong, and have an alternate plan that can be operationalized quickly.
  6. Help the C-suite develop their crisis management capabilities and their individual roles in the event of a cyberattack through regular, real-world simulations.
  7. Focus on the fundamentals, but also invest in detection, rapid response and recovery capabilities.